Intel Intelligencer: Hacking Cop Cars; Euro Cash; SMILE Conference

Posted on 9 May 2011 by


This week we’re going to talk about a couple of new publications and then a preview of the talk I’ll give at the SMILE Conference in Chicago, where Dave and I will be for the next three days.

Last week we talked a little bit about Europol’s EU Organized Crime Threat Assessment, which has a treasure trove of new metrics and a wide range of intelligence which is of use to crime and intelligence analysts seeking information on crime trends.

We still recommend reading it. I was having a conversation with a former UK cop and current computer forensics investigator who pointed out – and I should have as well – that the thing about the European banks threatening to make EU-only their payment cards isn’t new.

I did point this out on the cash issue (the fact that the €500 banknote is, in the report’s words, ‘almost exclusively the preserve of criminals‘) because that has been a concern since well before Euro cash was even available. I should have mentioned the card issue is kind of old too.

Well, I’ll mention it now. However I’ll mention that the reason we here take this old threat more seriously now is (and I did allude to this) that there is a growing rift between banks in Europe and the US over the paucity of actual – as opposed to perceived – security controls.

For the unitiated, almost all payment cards in Europe use what’s referred to as the “Chip+PIN” system, in which the card contains the magnetic strip and a computer chip which provides further security and PIN confirmation.  It’s far from perfect. There have been security problems – researchers broke it in 2010. But it’s substantially, empirically better than our system of total reliance on untrained and possibly dishonest cashiers confirming signatures, or using magnetic strips – which as we’ve seen, are the frequent target of skimmers. For their part, US card providers have long bemoaned Chip+Pin and said that it’s too expensive and doesn’t provide sufficient security, both arguments are right up there with the yarn about your dog and your homework.

Instead of actual security, the Payment Card Industry in the US has promoted the significantly crappy Payment Card Industry Data Security Standard to hold sway, and frankly, Europeans are just sick and tired of paying through the nose for this short-sighted, arrogant and wrong behavior. US banks are starting to move to Chip+PIN (see, for example, Ed Perkins of USAToday on this) but it will be a while.

Pwning a Cop Car
Last week it came out that a security research firm had broken into a cop car’s data network, and downloaded streaming video from the dash cam. Kevin Finisterre of the security research firm Digital Munition wrote a report called Owning A Cop Car, which you should read.

The attack’s details are all in there, but in a nutshell the team saw some very low hanging fruit, oened a Telnet (plain text) session without a password, looked around, then Googled the name of the product listed in the Telnet “welcome” banner, found the manual of the video camera, found the default password, tried it, it worked, they got in and were able to do things like streaming live video from a police cruiser.

An embedded semi-proprietary commercial solution was used as the communications hub inside each cruiser. The city ultimately had little control over the internal configuration or mechanics of these devices. For the most part the city put a certain level of trust in the vendor to make sure that there were no mission critical errors in the setup.

Upon completion of the testing one of the engineers at the city [which had hired Digital Munition] was actually quite relieved that we discovered what we did. He told us that he had made an attempt to contact the vendor with some concerns about an unintentional bridging of the cellular interface with the internal LAN interface. The vendor support team basically told him it was “impossible” and that he must be mistaken.

The aftermath was that vendors started pointing fingers, but all of them, plus some ill-informed cops, agreed that Digital Munition is a poopy-head for pointing out this heinously stupid, unforgivably trivially-exploitable vulnerability.

Shame on them.

Turns out that the video camera most likely is repurposed from that of a school bus, which pisses me off no end, because as we’ve written here, police technology must be integrated, simple and have utility. And by, “Utility” we probably certainly mean that the product should keep out curious ten-year-olds using free tools that come with every computer from accessing streaming video of, for example, me driving home to my house in my take-home cruiser.

I’m just sayin. As did Dan Goodin at The Register last week, when he first wrote of this important story:

The ability for civilians to secretly spy on officers responding to calls could have serious consequences for their safety. What’s more, allowing unauthorized people to view and alter video stored on cruisers could torpedo court cases that rely on the DVRs for evidence.

That there is pretty much the beginning of my talk today at the SMILE Conference – the Social Media and Internet in Law Enforcement shindig – at the Chicago Police Department.

Cops don’t hate technology, but cops hate technology that makes their job harder. And cops hate technology that looks to solve problems they didn’t know they had, as opposed to processes which drive them crazy. Simply put, cops don’t like being forced to learn yet another thing that won’t work with – but must be used – with everything he already has. And if he does it wrong or screws it up, he gets to get in trouble. In this frank and plainly-worded talk, Selby outlines the keys to getting cops to want more and newer technology are: Integration, simplification, utility. It may seem obvious, yet Selby submits that if it were obvious, technology vendors would have provided this to us already. Selby covers key points in how to talk to and work with vendors and demand that their tools work better with what we’ve already bought, so we leverage what we have as opposed to adding to our workload.

When you look at what I just said about the Digital Munition hack, I hope you’ll agree that it is a good place to start any discussion on police technology.